Commit Graph

34 Commits

Author SHA1 Message Date
User
9df80b73e2 fix: allow RFC2544 benchmark range (198.18.0.0/15) through SSRF filter
Telegram's API and file servers resolve to IPs in the 198.18.0.0/15
range (RFC 2544 benchmarking range). The SSRF filter was blocking these
addresses because ipaddr.js classifies them as 'reserved', and the
filter also had an explicit RFC2544_BENCHMARK_PREFIX check that blocked
them unconditionally.

Fix: exempt 198.18.0.0/15 from the 'reserved' range block in
isBlockedSpecialUseIpv4Address(). Other 'reserved' ranges (TEST-NET-2,
TEST-NET-3, documentation prefixes) remain blocked. The explicit
RFC2544_BENCHMARK_PREFIX check is repurposed as the exemption guard.

Closes #24973
2026-02-24 03:28:00 +00:00
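The commit above exempts 198.18.0.0/15 from a "reserved" block so Telegram endpoints that resolve into that range pass the SSRF filter. The block below is an added example, not the project's code and not ipaddr.js: a strict IPv4 guard with the same special-use table, where the benchmark-range exemption is an explicit `allowBenchmarkRange` opt-in instead of a default, since RFC 2544 reserves 198.18.0.0/15 for benchmarking and it is not meant to be globally routed; keeping the decision in configuration keeps it visible. Beyond the commit text, the example also rejects non-canonical IPv4 literals (`127.1`, `0x7f.0.0.1`, `2130706433`, leading zeros) and decodes the compressed and all-zero full-form spellings of IPv4-mapped IPv6 before checking, which the "strict IPv4 literal", "IPv4-mapped IPv6" and "IPv6 transition" commits further down touch. Any other IPv6 literal is blocked here (fail closed); a real deployment would hand those to an IPv6 guard. All names (`checkIpv4Literal`, `SPECIAL_USE_IPV4`, the option flag) are hypothetical, and the range table is constructed from the IANA IPv4 Special-Purpose Address Registry.

```typescript
// Added example, not the project's code: a strict IPv4 special-use guard with the
// benchmark-range exemption made an explicit opt-in. All names are hypothetical.

type Range = { cidr: string; label: string; benchmark?: boolean };
type Verdict = { blocked: boolean; reason: string };

// Constructed from the IANA IPv4 Special-Purpose Address Registry (not exhaustive).
const SPECIAL_USE_IPV4: Range[] = [
  { cidr: "0.0.0.0/8", label: "this network" },
  { cidr: "10.0.0.0/8", label: "private" },
  { cidr: "100.64.0.0/10", label: "shared address space (CGNAT)" },
  { cidr: "127.0.0.0/8", label: "loopback" },
  { cidr: "169.254.0.0/16", label: "link-local (cloud metadata lives here)" },
  { cidr: "172.16.0.0/12", label: "private" },
  { cidr: "192.0.0.0/24", label: "IETF protocol assignments" },
  { cidr: "192.0.2.0/24", label: "TEST-NET-1" },
  { cidr: "192.168.0.0/16", label: "private" },
  { cidr: "198.18.0.0/15", label: "benchmarking (RFC 2544)", benchmark: true },
  { cidr: "198.51.100.0/24", label: "TEST-NET-2" },
  { cidr: "203.0.113.0/24", label: "TEST-NET-3" },
  { cidr: "224.0.0.0/4", label: "multicast" },
  { cidr: "240.0.0.0/4", label: "reserved (includes limited broadcast)" },
];

// Canonical dotted-quad only: four decimal octets, no leading zeros, no hex/octal/shorthand.
function parseStrictIpv4(s: string): number[] | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9][0-9]{0,2})$/.test(p) ? Number(p) : -1));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

function ipv4ToInt(octets: number[]): number {
  return octets.reduce((acc, o) => acc * 256 + o, 0); // unsigned 32-bit value held in a double
}

function inCidr(ip: number, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const net = parseStrictIpv4(cidr.slice(0, slash));
  const len = Number(cidr.slice(slash + 1));
  if (net === null || !Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad CIDR ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Decode the common spellings of an IPv4-mapped IPv6 address: ::ffff:a.b.c.d, ::ffff:hhhh:hhhh
// and the all-zero full form 0:0:0:0:0:ffff:hhhh:hhhh. Anything else returns null.
function ipv4FromMappedIpv6(h: string): string | null {
  const m = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(h);
  if (!m) return null;
  const tail = m[1] ?? "";
  if (tail.includes(".")) return tail; // dotted tail is re-parsed strictly by the caller
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);
  if (!hex) return null;
  const hi = parseInt(hex[1] ?? "", 16);
  const lo = parseInt(hex[2] ?? "", 16);
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

// Decide whether a host literal may be fetched. Non-literal hostnames pass through so the
// caller can resolve them and re-check every resolved address before connecting.
function checkIpv4Literal(host: string, opts: { allowBenchmarkRange?: boolean } = {}): Verdict {
  let literal = host.trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (literal.includes(":")) {
    const mapped = ipv4FromMappedIpv6(literal);
    if (mapped === null) return { blocked: true, reason: "IPv6 literal: not handled by this IPv4 guard, fail closed" };
    literal = mapped;
  }
  const octets = parseStrictIpv4(literal);
  if (octets === null) {
    // WHATWG "ends in a number" rule: a final label like 1, 0x7f or 0177 makes URL parsers treat
    // the whole host as an IPv4 number, so reject it instead of letting it reach DNS.
    const last = literal.slice(literal.lastIndexOf(".") + 1);
    if (/^(0x[0-9a-f]*|[0-9]+)$/.test(last)) return { blocked: true, reason: "non-canonical IPv4 literal" };
    return { blocked: false, reason: "not an IPv4 literal" };
  }
  const ip = ipv4ToInt(octets);
  for (const r of SPECIAL_USE_IPV4) {
    if (!inCidr(ip, r.cidr)) continue;
    if (r.benchmark && opts.allowBenchmarkRange) return { blocked: false, reason: "benchmark range exempted by config" };
    return { blocked: true, reason: r.label };
  }
  return { blocked: false, reason: "public IPv4" };
}
```

With the flag off, `198.18.0.1` is blocked like the rest of the table; with it on, the whole /15 passes while TEST-NET-2, TEST-NET-3 and 240.0.0.0/4 stay blocked, which is the split the commit describes. The literal check is only half of an SSRF guard: a hostname that passes here still has to be resolved and every returned address re-checked, and the connection pinned to a checked address, or DNS rebinding gets around the filter.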
Peter Steinberger
5eb72ab769 fix(security): harden browser SSRF defaults and migrate legacy key 2026-02-24 01:52:01 +00:00
Peter Steinberger
98427453ba fix(network): normalize SSRF IP parsing and monitor typing 2026-02-22 18:55:34 +01:00
Peter Steinberger
e9ed688c2c fix(net): enable family fallback for pinned SSRF dispatcher 2026-02-22 17:54:15 +01:00
Peter Steinberger
333fbb8634 refactor(net): consolidate IP checks with ipaddr.js 2026-02-22 17:02:44 +01:00
Peter Steinberger
44dfbd23df fix(ssrf): centralize host/ip block checks 2026-02-22 15:41:41 +01:00
Peter Steinberger
ffd9b86ca4 test(ssrf): table-drive blocked hostname literal checks 2026-02-21 23:33:47 +00:00
Peter Steinberger
71bd15bb42 fix(ssrf): block special-use ipv4 ranges 2026-02-21 23:45:49 +01:00
Peter Steinberger
cc2ff68947 test: optimize gateway infra memory and security coverage 2026-02-21 21:44:50 +00:00
George Pickett
802f043e53 Net: expand cross-origin sensitive header regression test 2026-02-19 11:42:25 -08:00
Andrii Furmanets
c0cd5a7265 Net: strip sensitive headers on cross-origin redirects 2026-02-19 11:42:25 -08:00
Peter Steinberger
26c9b37f5b fix(security): enforce strict IPv4 SSRF literal handling 2026-02-19 15:24:47 +01:00
Peter Steinberger
baa335f258 fix(security): harden SSRF IPv4 literal parsing 2026-02-19 15:14:46 +01:00
Peter Steinberger
d05c8eb912 refactor: unify SSRF hostname/ip precheck and add policy regression 2026-02-19 10:25:31 +01:00
Peter Steinberger
d51929ecb5 fix: block ISATAP SSRF bypass via shared host/ip guard 2026-02-19 09:59:47 +01:00
Peter Steinberger
e8154c12e6 refactor(net): table-drive embedded IPv6 decoding and SSRF tests 2026-02-18 04:57:08 +01:00
Peter Steinberger
442fdbf3d8 fix(security): block SSRF IPv6 transition bypasses 2026-02-18 04:53:09 +01:00
cpojer
49bd9f75f4 chore: Fix types in tests 33/N. 2026-02-17 15:50:07 +09:00
cpojer
6e5df1dc0f chore: Fix types in tests 25/N. 2026-02-17 14:31:02 +09:00
Sebastian
f924ab40d8 revert(tools): undo accidental merge of PR #18584 2026-02-16 21:13:48 -05:00
smartprogrammer93
6d2e3685d6 feat(tools): add URL allowlist for web_search and web_fetch
Add optional urlAllowlist config at tools.web level that restricts which
URLs can be accessed by web tools:

- Config types (types.tools.ts): Add urlAllowlist?: string[] to tools.web
- Zod schema: Add urlAllowlist field to ToolsWebSchema
- Schema help: Add help text for the new config fields
- web_search: Filter Brave search results by allowlist (provider=brave)
- web_fetch: Block URLs not matching allowlist before fetching
- ssrf.ts: Export normalizeHostnameAllowlist and matchesHostnameAllowlist

URL matching supports:
- Exact domain match (example.com)
- Wildcard patterns (*.github.com)

When urlAllowlist is not configured, all URLs are allowed (backwards compatible).

Tests: Add web-tools.url-allowlist.test.ts with 23 tests covering:
- URL allowlist resolution from config
- Wildcard pattern matching
- web_fetch error response format
- Brave search result filtering
2026-02-16 23:50:18 +01:00
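The allowlist behaviour listed in the commit above (exact domain, `*.` wildcard, unset means everything is allowed), as an added example rather than the project's code. `normalizeHostnameAllowlist` and `matchesHostnameAllowlist` reuse the names the commit says ssrf.ts exports, but this is an independent implementation; three policies are assumptions of this example and not documented project behaviour: a wildcard does not match its apex domain, an allowlist that is configured but empty blocks everything, and malformed entries (a pasted URL, a bare `*`) throw instead of being silently dropped. The URL is parsed with the WHATWG `URL` class before the host is compared, so userinfo, port and path cannot be used to fake a match.

```typescript
// Added example, not the project's code. Names reuse the commit's exports; the apex, empty-list
// and invalid-entry policies are assumptions of this example.

const ALLOWLIST_ENTRY = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/;

function normalizeHostname(host: string): string {
  let h = host.trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (h.endsWith(".")) h = h.slice(0, -1); // FQDN trailing dot
  return h;
}

// Lower-case, de-duplicate, and fail loudly on entries that are not hostnames: an allowlist
// that silently normalised to nothing would either allow everything or block everything.
function normalizeHostnameAllowlist(entries: string[]): string[] {
  const bad = entries.filter((e) => !ALLOWLIST_ENTRY.test(normalizeHostname(e)));
  if (bad.length > 0) throw new Error(`invalid urlAllowlist entries: ${bad.join(", ")}`);
  return Array.from(new Set(entries.map((e) => normalizeHostname(e))));
}

// "*.example.com" matches any host with at least one label below example.com. Because the
// suffix compared starts with ".", "evilexample.com" cannot match, and the apex "example.com"
// is excluded on purpose (assumed policy: list it explicitly if it should be allowed).
function matchesHostnameAllowlist(hostname: string, allowlist: string[]): boolean {
  const h = normalizeHostname(hostname);
  return allowlist.some((entry) => {
    if (entry.startsWith("*.")) {
      const suffix = entry.slice(1); // ".example.com"
      return h.length > suffix.length && h.endsWith(suffix);
    }
    return h === entry;
  });
}

type AllowVerdict = { allowed: boolean; reason: string };

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// undefined means "not configured" (everything allowed, as the commit states); an empty list is
// treated as "configured but nothing allowed" and blocks everything (assumed policy).
function isUrlAllowed(rawUrl: string, urlAllowlist: string[] | undefined): AllowVerdict {
  if (urlAllowlist === undefined) return { allowed: true, reason: "no urlAllowlist configured" };
  const u = parseUrl(rawUrl);
  if (u === null) return { allowed: false, reason: "unparseable URL" };
  if (u.protocol !== "http:" && u.protocol !== "https:") return { allowed: false, reason: `scheme ${u.protocol} not allowed` };
  const list = normalizeHostnameAllowlist(urlAllowlist);
  if (list.length === 0) return { allowed: false, reason: "urlAllowlist is empty" };
  // u.hostname is the WHATWG-parsed host: userinfo ("github.com@evil.com"), port and path are
  // already separated out, so a spoofed prefix cannot fool the string comparison.
  return matchesHostnameAllowlist(u.hostname, list)
    ? { allowed: true, reason: `${u.hostname} matches urlAllowlist` }
    : { allowed: false, reason: `${u.hostname} not in urlAllowlist` };
}
```

An allowlist of this kind restricts which names may be fetched; it does not replace the IP checks from the other commits on this page, because an allowlisted name can still resolve to a loopback, link-local or private address, so both layers should run on every fetch.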
Peter Steinberger
58ab60c0fc perf(test): fold tls fingerprint normalization into ssrf suite 2026-02-16 02:44:59 +00:00
Peter Steinberger
4aaafe5322 refactor(net): share hostname normalization 2026-02-16 01:01:22 +00:00
Peter Steinberger
c0c0e0f9ae fix(security): block full-form IPv4-mapped IPv6 in SSRF guard 2026-02-14 22:58:38 +01:00
Marcus Castro
7ec60d6449 fix: use relayAbort helper for addEventListener to preserve AbortError reason 2026-02-13 18:13:18 +01:00
Marcus Castro
d9c582627c perf: use .abort.bind() instead of arrow closures to prevent memory leaks (#7174) 2026-02-13 18:13:18 +01:00
Peter Steinberger
99f28031e5 fix: harden OpenResponses URL input fetching 2026-02-13 01:38:49 +01:00
Peter Steinberger
9bd64c8a1f fix: expand SSRF guard coverage 2026-02-02 04:58:32 -08:00
Peter Steinberger
81c68f582d fix: guard remote media fetches with SSRF checks 2026-02-02 04:07:29 -08:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1 chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
cpojer
15792b153f chore: Enable more lint rules, disable some that trigger a lot. Will clean up later. 2026-01-31 16:04:04 +09:00
Peter Steinberger
b623557a2e fix: harden url fetch dns pinning 2026-01-26 16:05:29 +00:00
Peter Steinberger
5bd55037e4 fix: harden web fetch SSRF and redirects
Co-authored-by: Eli <fogboots@users.noreply.github.com>
2026-01-21 02:54:14 +00:00